“About Those So-Called ‘Russian’ Hackers…”
by Karl Denninger
“Let’s focus just for a minute on the oft-repeated claim that the US Government’s “agencies” have “declared” that Russia is behind the Podesta (and other) Wikileaks releases- that is, they stole the data. There’s no evidence to support that which passes even the most-rudimentary sniff test. You have one guy who’s made that claim in the US- Clapper. The same Clapper who knowingly lied before Congress in the past. Yes, that Clapper.
Now it is certainly true that Russia is likely capable of such a hack. Then again the hack itself, as I’ve pointed out, isn’t especially surprising given that it appears many of these “email accounts” have been sitting on public cloud-provided email services. By definition such ‘services’ are not secure and cannot be made secure.
That people like Podesta are using them for sensitive private matters (which the government is NOT entitled to copies of) such as campaign work is proof of their stupidity- and little more.
Folks, I can set anyone up with a system that is virtually hack-proof for email, yet for those emails where you don’t care about security you can still exchange them with anyone else. I use such a system myself, built by myself. Key to this sort of design is that unencrypted emails that you wish to be secure against tampering, interception or both are never stored on the server.
This is obviously unsuitable for the government and its official business (which is why they don’t do that) because the government relies on being able to see what is going on both for routine business purposes and to comply with FOIA requests. Obviously a classified network is an entirely different thing but an unclassified network used for government business stores and distributes unencrypted email because if it was otherwise nobody, including legitimate government oversight organs, could access it!
Let’s assume you want to send me a secure email. All you need to do is email me first, and ask me to reply to you. Doing so will give you my public key for S/MIME. You now use that key to encrypt your message (which modern email clients can do automatically) and send me the message you wish to send “securely.” Commonly-available client software which can do this includes Outlook (Microsoft’s), Thunderbird, BlackBerry’s Android phones (the Priv and DTEK50) and reasonably-recent Apple iPhone software, among others. You can obtain a key pair for such a purpose from a number of places on the Internet, some of them free, and the better ones do not require that anything other than your public key ever touch their infrastructure, so the risk of them leaking your private key to others is zero (since they are never in possession of it.)
Said email can then pass through however many systems and be stored in however many places but if stolen it is unreadable (unless you saved an unencrypted copy in your “sent” folder), because the only place my private key happens to reside is on devices that I have physical control of. It is most-specifically not on the server where the email resides!
Here’s the important point to remember when it comes to public key cryptography: Once you encrypt the message to send it not even you can decrypt it again! That is, the key you used for encryption is worthless to decrypt; you need the other half and you don’t physically have it nor is it on the server. Only the person you targeted the transmission toward has it.
So now to break in and steal that email you cannot “just” break into my server and steal the database or files full of messages (you get a bunch of encrypted messages, which you can’t read) nor can you intercept the messages while they’re being sent (ditto.) Instead you have to steal both the encrypted message and an unlocked copy of my private key, which exists in unlocked form only while I’m actually using it and it is only present on my personal devices.
In other words you now have to catch me, personally, using said key and manage to get the device out of my hands and into yours, then get said device to divulge the key, before the device locks itself or detects your attempt at tampering (at which point you’re screwed since the key is no longer unlocked and/or it has been destroyed!)
Is this possible? Sure. But it’s a hell of a lot harder than stealing the email itself. Why do you think the FBI, when they go to bust someone they think might be doing something illegal (like trafficking in kiddie porn) always want to catch the perp with his computer on and unlocked? It is for this very reason- seizing a computer that has an encrypted disk but is turned off is frequently going to result in them having exactly zero means of retrieving whatever is on there. The only way around that is if there is a back door that will trick said device into divulging the encryption key (such as was the case for the infamous California shooter’s iPhone.)
So what we have here is a group of people who are intentionally using insecure means to communicate and then whining when one of their own people leaves the front door unlocked. Does this require some “Grade A” hacker to break in and rip it all off? Oh hell no it doesn’t; in fact, all it requires is that you be stupid, and apparently plenty of these people are.
Where did the hackers come from? I strongly doubt it was Russia. I would not be at all surprised to discover that it’s nothing more than third-rate folks who send out spams that look like “password reset” requests; it only takes one time you fall for that and then, well… yeah. (Or something equally stupid, such as using the same password in a dozen different places, some of which use insecure hashing systems, one of those files gets stolen and the password cracked. Now I don’t have to break into anything since I have the actual password!)
All of this underlies one reality that I pointed out in an earlier column though, which is why none of the media will talk about this, why my phone hasn’t rung with a request for an interview on the matter nor has anyone else’s who knows what they’re talking about: The moment it gets into the public consciousness that “cloud” computing is never secure at any time a key is on said cloud or unencrypted data is stored or used there, the “value” of all these public cloud companies, which are a huge part of the valuation bubble in the stock market today, collapses.
So, to summarize:
• The campaign is full of stupid people who have been passing around sensitive data without encryption. These are the people who the candidate, incidentally, thinks ought to be running the country if she wins. It ought to be obvious that putting stupid people in public office is a bad idea.
• There are moderately easy ways to avoid this problem for sensitive communications where no central authority needs to be able to get to them for legitimate purpose. The campaign decided not to do that, however, which goes directly to point #1- they’re stupid.
• Responding to a question about a leaked email with a “where did you get that” sort of response is demonstrable evidence that the allegations raised about said content are true. If they’re false (that is, the email was falsified and not really sent) then you’d instead get a categorical denial. Why would someone ask “where you got it” if they never said it in the first place? A denial doesn’t mean that the allegation isn’t true, but questioning the source instead of the content is nearly-always an admission that the content is factual. Use your head folks.
• The underlying issue related to these hacks is that so-called “public cloud” providers are insecure if, at any time, unencrypted data or the keys to decrypt said data are on said machines. The value of a whole bunch of “new economy” bubblicious companies depends on this not making it into wide public consciousness because the minute that it does nobody is going to consent to their health data, their financial data or anything else that’s personal and sensitive being put on this sort of infrastructure ever again.
In other words blaming Russia is a distraction intended to keep you from paying attention to both the content of the emails (which certainly appear to be factual given the reaction to their release thus far) and the fact that a whole host of data about you is being similarly stored in similarly-insecure fashion by literally thousands of companies.”
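The S/MIME exchange the column describes (encrypt to the recipient's public key, so a stolen copy on the server is unreadable and the sender's own copy is unreadable unless it was also encrypted to the sender) as an added Go example; this is not code from the column or from any S/MIME implementation. The `Envelope` type is a constructed simplification of a CMS enveloped message, and it goes one step beyond the text by wrapping the content key once per recipient, which is how the "unencrypted copy in your sent folder" problem is avoided: list your own public key as a recipient too.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope: constructed stand-in for an S/MIME enveloped message (not real CMS).
type Envelope struct {
	Nonce, Ciphertext []byte // one AES-256-GCM ciphertext of the body
	WrappedKeys       [][]byte // the AES key, RSA-OAEP-wrapped once per recipient
}

// Seal encrypts body for the listed recipients only; the sender can read the
// result afterwards only if its own public key is among them.
func Seal(body []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte content-encryption key + 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(cek) // a 32-byte key is always valid for AES-256
	gcm, _ := cipher.NewGCM(block)
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, w)
	}
	return env, nil
}

// Open recovers the body with priv; it fails when priv belongs to no recipient,
// which is all a server (or a thief holding only the stored message) ever has.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range env.WrappedKeys {
		cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err != nil {
			continue // wrapped for someone else; try the next blob
		}
		block, _ := aes.NewCipher(cek)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped key matches this private key")
}
```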